Alpine: xen: security update to 4.10.4-r3

high Tenable Self-Hosted Container Security Plugin ID 407743

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or
possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write
unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the
memory access with the preceding ones. In other words, the unlock may be seen by another processor before
all the memory accesses within the "critical" section. As a consequence, it may be possible to have a
writer executing a critical section at the same time as readers or another writer. In other words, many of
the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe
anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest
could exploit the race. For instance, there is a small window where Xen can leak memory if
XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a
hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot
be excluded. (CVE-2020-11739)

- An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active
profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map
xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not
scrubbed. (CVE-2020-11740)

- An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling)
to obtain sensitive information about other guests, cause a denial of service, or possibly gain
privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code
uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a
potential adversary: it trusts the guest not to modify buffer size information or modify head / tail
pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out.
(CVE-2020-11741)

- An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service
because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for
success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy
handling where success may be returned to the caller without any action taken. In particular, the status
fields of individual operations are left uninitialised, and may result in errant behaviour in the caller
of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a
backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller
without doing anything, which may cause crashes or other incorrect behaviour. (CVE-2020-11742)

- An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service
because of a bad error path in GNTTABOP_map_grant. Grant table operations are expected to return 0 for
success, and a negative number for errors. Some misplaced brackets cause one error path to return 1
instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds
with incorrectly initialised state. A buggy or malicious guest can construct its grant table in such a way
that, when a backend domain tries to map a grant, it hits the incorrect error path. This will crash a
Linux based dom0 or backend domain. (CVE-2020-11743)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-11739

https://security.alpinelinux.org/vuln/CVE-2020-11740

https://security.alpinelinux.org/vuln/CVE-2020-11741

https://security.alpinelinux.org/vuln/CVE-2020-11742

https://security.alpinelinux.org/vuln/CVE-2020-11743

Plugin Details

Severity: High

ID: 407743

Version: Revision 1.35

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-11741

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/19/2019

Reference Information

CVE: CVE-2020-11739, CVE-2020-11740, CVE-2020-11741, CVE-2020-11742, CVE-2020-11743

IAVB: 2019-B-0091-S, 2020-B-0019-S, 2020-B-0023-S